Clarify requirements for creating a cross-user Channel. (#12181)

jdcormie · web-flow · commit 74aee11389b6 · 2025-06-26T17:43:13.000-07:00
The @Systemapi runtime visibility requirement isn't really new. It has always been implicit in the required INTERACT_ACROSS_USERS permission, which (in production) can only be held by system apps. The SDK_INT >= 30 requirement was also always present, via @RequiresApi() on BinderChannelBuilder#bindAsUser. This change just updates its replacement APIs (AndroidComponentAddress and TARGET_ANDROID_USER) to require it too.
diff --git a/binder/src/main/java/io/grpc/binder/AndroidComponentAddress.java b/binder/src/main/java/io/grpc/binder/AndroidComponentAddress.java
@@ -250,7 +250,22 @@ public Builder setBindIntentFromComponent(ComponentName component) {
       return this;
     }
 
-    /** See {@link AndroidComponentAddress#getTargetUser()}. */
+    /**
+     * Specifies the Android user in which the built Address' bind Intent will be evaluated.
+     *
+     * <p>Connecting to a server in a different Android user is uncommon and requires the client app
+     * have runtime visibility of &#064;SystemApi's and hold certain &#064;SystemApi permissions.
+     * The device must also be running Android SDK version 30 or higher.
+     *
+     * <p>See https://developer.android.com/guide/app-compatibility/restrictions-non-sdk-interfaces
+     * for details on which apps can call the underlying &#064;SystemApi's needed to make this type
+     * of connection.
+     *
+     * <p>One of the "android.permission.INTERACT_ACROSS_XXX" permissions is required. The exact one
+     * depends on the calling user's relationship to the target user, whether client and server are
+     * in the same or different apps, and the version of Android in use. See {@link
+     * Context#bindServiceAsUser}, the essential underlying Android API, for details.
+     */
     @ExperimentalApi("https://github.com/grpc/grpc-java/issues/10173")
     public Builder setTargetUser(@Nullable UserHandle targetUser) {
       this.targetUser = targetUser;
diff --git a/binder/src/main/java/io/grpc/binder/ApiConstants.java b/binder/src/main/java/io/grpc/binder/ApiConstants.java
@@ -35,12 +35,15 @@ private ApiConstants() {}
   /**
    * Specifies the Android user in which target URIs should be resolved.
    *
-   * <p>{@link UserHandle} can't reasonably be encoded in a target URI string. Instead, all
-   * {@link io.grpc.NameResolverProvider}s producing {@link AndroidComponentAddress}es should let
-   * clients address servers in another Android user using this argument.
+   * <p>{@link UserHandle} can't reasonably be encoded in a target URI string. Instead, all {@link
+   * io.grpc.NameResolverProvider}s producing {@link AndroidComponentAddress}es should let clients
+   * address servers in another Android user using this argument.
    *
-   * <p>See also {@link AndroidComponentAddress#getTargetUser()}.
+   * <p>Connecting to a server in a different Android user is uncommon and can only be done by a
+   * "system app" client with special permissions. See {@link
+   * AndroidComponentAddress.Builder#setTargetUser(UserHandle)} for details.
    */
+  @ExperimentalApi("https://github.com/grpc/grpc-java/issues/10173")
   public static final NameResolver.Args.Key<UserHandle> TARGET_ANDROID_USER =
       NameResolver.Args.Key.create("target-android-user");
 }
diff --git a/binder/src/main/java/io/grpc/binder/BinderChannelBuilder.java b/binder/src/main/java/io/grpc/binder/BinderChannelBuilder.java
@@ -242,9 +242,9 @@ public BinderChannelBuilder securityPolicy(SecurityPolicy securityPolicy) {
    * specify a {@link UserHandle}. If neither the Channel nor the {@link AndroidComponentAddress}
    * specifies a target user, the {@link UserHandle} of the current process will be used.
    *
-   * <p>Targeting a Service in a different Android user is uncommon and requires special permissions
-   * normally reserved for system apps. See {@link android.content.Context#bindServiceAsUser} for
-   * details.
+   * <p>Connecting to a server in a different Android user is uncommon and can only be done by a
+   * "system app" client with special permissions. See {@link
+   * AndroidComponentAddress.Builder#setTargetUser(UserHandle)} for details.
    *
    * @deprecated This method's name is misleading because it implies an impersonated client identity
    *     when it's actually specifying part of the server's location. It's also no longer necessary

Original file line number	Diff line number	Diff line change
`@@ -242,9 +242,9 @@ public BinderChannelBuilder securityPolicy(SecurityPolicy securityPolicy) {`
`242`	`242`	`* specify a {@link UserHandle}. If neither the Channel nor the {@link AndroidComponentAddress}`
`243`	`243`	`* specifies a target user, the {@link UserHandle} of the current process will be used.`
`244`	`244`	`*`
`245`		`- * <p>Targeting a Service in a different Android user is uncommon and requires special permissions`
`246`		`- * normally reserved for system apps. See {@link android.content.Context#bindServiceAsUser} for`
`247`		`- * details.`
	`245`	`+ * <p>Connecting to a server in a different Android user is uncommon and can only be done by a`
	`246`	`+ * "system app" client with special permissions. See {@link`
	`247`	`+ * AndroidComponentAddress.Builder#setTargetUser(UserHandle)} for details.`
`248`	`248`	`*`
`249`	`249`	`* @deprecated This method's name is misleading because it implies an impersonated client identity`
`250`	`250`	`* when it's actually specifying part of the server's location. It's also no longer necessary`